Understanding the LDAP Directory


Introduction

This Lab provides a ready-to-use LDAP server that is accessible at ldap.ca-lab.private within the Lab's VPC. You will use the existing organization directory to authenticate users in HashiCorp Vault later in this Lab. The server is an EC2 instance running OpenLDAP, but any other LDAP service could also be used, such as Microsoft's active directory or AWS Directory Service. The simulated organization directory that is accessed over LDAP is depicted in the following directory tree diagram:

[Image: directory tree diagram of the ca-lab.private organization]

The directory schema is based on internet domain naming. The top-level domain component (dc) entry of private indicates that the directory exists only for the purpose of this Lab. In practice, you may have com or net as the top-level dc entry. For simplicity, the ca-lab organization (o) is arranged in a single organizational unit (ou) called Users. There are two users with common names (cn) of Jeremy Cook and Logan Rakai. Jeremy is a member of the Engineering group, and Logan is a member of the Research group.

The remainder of this Lab Step will confirm the directory is available, and matches what is displayed in the above image.


Instructions

1. In the Cloud9 terminal, install the openldap-clients package that includes the ldapsearch utility:

sudo yum install -y openldap-clients

 

2. Run the following ldapsearch query to list the directory entries in the ca-lab.private organization's directory:

ldapsearch -H ldap://ldap.ca-lab.private -x -LLL -b dc=ca-lab,dc=private

[Image: ldapsearch output listing the entries under dc=ca-lab,dc=private]

If the server were configured with LDAP over SSL, you would use ldaps:// as the host protocol instead of ldap://. Take a minute to confirm the information matches what you expect based on the provided directory tree diagram. You can see additional information in the entries, such as the user IDs (uid) of Jeremy and Logan, which are jcook and lrakai.
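The manual comparison above can be automated. The following Python script is an added example, not part of the Lab or its instructions: it parses a constructed LDIF dump of the kind `ldapsearch -LLL` prints (including folded continuation lines and base64-encoded `::` values, two LDIF details that break naive grep-style checks) and compares it with the directory tree described earlier (dc=ca-lab,dc=private, ou=Users, the users jcook and lrakai, and their Engineering and Research groups). The sample LDIF is constructed; the objectClass values and the representation of groups as groupOfNames entries with member attributes under ou=Users are assumptions, since the Lab text does not show how groups are stored.

```python
import base64
from collections import defaultdict

# Constructed sample of what `ldapsearch -x -LLL -b dc=ca-lab,dc=private`
# could print for the Lab directory. The objectClass values, the use of
# groupOfNames/member and placing groups under ou=Users are assumptions.
SAMPLE_LDIF = """\
dn: dc=ca-lab,dc=private
dc: ca-lab
o: ca-lab

dn: ou=Users,dc=ca-lab,dc=private
ou: Users

dn: cn=Jeremy Cook,ou=Users,dc=ca-lab,dc=private
objectClass: inetOrgPerson
cn: Jeremy Cook
uid: jcook

dn: cn=Logan Rakai,ou=Users,dc=ca-lab,dc=private
objectClass: inetOrgPerson
cn:: TG9nYW4gUmFrYWk=
uid: lrakai

dn: cn=Engineering,ou=Users,dc=ca-lab,dc=private
objectClass: groupOfNames
cn: Engineering
member: cn=Jeremy Cook,ou=Users,dc=ca-lab,dc=private

dn: cn=Research,ou=Users,dc=ca-lab,dc=private
objectClass: groupOfNames
cn: Research
member: cn=Logan Rakai,ou=Users,
 dc=ca-lab,dc=private
"""

# Expected users from the Lab's directory tree diagram: uid -> (cn, groups).
EXPECTED = {"jcook": ("Jeremy Cook", ["Engineering"]),
            "lrakai": ("Logan Rakai", ["Research"])}

def _attr(line):  # 'name: value' or 'name:: base64value' -> (name, decoded value)
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name, rest.strip()

def parse_ldif(text):  # -> {dn: {attribute: [values]}}
    logical = []
    for raw in text.splitlines():          # unfold: a leading space continues the previous line
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = {}, None
    for line in logical:
        if not line.strip():               # a blank line ends the current entry
            current = None
        elif line.startswith("dn:"):
            current = _attr(line)[1]
            entries[current] = defaultdict(list)
        else:
            name, value = _attr(line)
            entries[current][name].append(value)   # KeyError if an attribute precedes its dn
    return entries

def split_dn(dn):  # RDN list, splitting only on commas that are not backslash-escaped
    parts, buf, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            parts, buf = parts + [buf.strip()], ""
        else:
            buf += ch
        escaped = ch == "\\" and not escaped
    return parts + [buf.strip()]

def users_under(entries, parent_dn):  # uid -> DN for entries with a uid directly under parent_dn
    return {attrs["uid"][0]: dn for dn, attrs in entries.items()
            if "uid" in attrs and ",".join(split_dn(dn)[1:]) == parent_dn}

def groups_of(entries, user_dn):  # sorted cn of every entry listing user_dn as a member
    return sorted(attrs["cn"][0] for attrs in entries.values()
                  if "member" in attrs and user_dn in attrs["member"])

def check_directory(entries, base_dn="dc=ca-lab,dc=private"):  # [] means the dump matches
    problems = [] if base_dn in entries else [f"base entry {base_dn} missing"]
    users = users_under(entries, "ou=Users," + base_dn)
    for uid, (cn, groups) in EXPECTED.items():
        if uid not in users:
            problems.append(f"user {uid} missing under ou=Users")
        elif entries[users[uid]].get("cn") != [cn]:
            problems.append(f"{uid}: cn is {entries[users[uid]].get('cn')}, expected {[cn]}")
        elif groups_of(entries, users[uid]) != groups:
            problems.append(f"{uid}: groups {groups_of(entries, users[uid])}, expected {groups}")
    return problems + [f"unexpected user {u}" for u in users if u not in EXPECTED]

if __name__ == "__main__":
    for line in check_directory(parse_ldif(SAMPLE_LDIF)) or ["directory matches the diagram"]:
        print(line)
```

To use it against the real server, pipe the output of the ldapsearch command from step 2 into the script in place of SAMPLE_LDIF (for example by reading sys.stdin) and adjust EXPECTED to the users and groups your own diagram shows; the parser is generic, only EXPECTED is specific to this Lab.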


Summary

In this Lab Step, you learned about the LDAP directory structure that the Cloud Academy Lab environment has created. You confirmed the directory is accessible at ldap.ca-lab.private from within the Lab VPC.